17  Bluetooth Security

In 60 Seconds

BLE encryption uses AES-CCM with 128-bit keys, but security depends on how keys are generated during pairing. The key hierarchy flows from Temporary Key to Short Term Key to Long Term Key, with IRK for address privacy and CSRK for data signing. Match pairing method to data sensitivity: “Just Works” for public data only, Numeric Comparison for personal data, Out-of-Band for medical or financial applications.

Minimum Viable Understanding

BLE encryption uses AES-CCM with 128-bit keys, but the real security depends on how those keys are generated during pairing. The key hierarchy flows from Temporary Key (TK) to Short Term Key (STK) to Long Term Key (LTK), with IRK for address privacy and CSRK for data signing. Always match your pairing method to data sensitivity: “Just Works” for public data only, Numeric Comparison for personal data, and Out-of-Band (OOB) for medical, financial, or industrial applications.

17.1 Learning Objectives

By the end of this chapter, you will be able to:

• Explain BLE Encryption Architecture: Describe how AES-CCM-128 encryption and key generation methods work together in BLE
• Analyze Key Hierarchy: Distinguish the roles of LTK, IRK, and CSRK in BLE security and justify when each is applied
• Apply Security Decision Framework: Select appropriate security levels for different IoT application contexts
• Implement Best Practices: Configure secure pairing and key storage for IoT deployments

For Beginners: Bluetooth Encryption and Keys

Bluetooth encryption protects data by scrambling it so that only devices with the right key can read it. Think of encryption keys as the secret decoder ring that two devices share during pairing. Without the key, intercepted Bluetooth data looks like random noise to an eavesdropper.

Sensor Squad: The Key Kingdom!

“Bluetooth uses a whole family of keys to keep data safe!” Sammy the Sensor said. “It starts with a Temporary Key during pairing, which creates a Short Term Key, which eventually becomes a Long Term Key. It is like getting a day pass, then a weekly pass, then a permanent membership card!”

“Think of the key hierarchy like layers of security at a castle,” Lila the LED suggested. “The outer wall is the Temporary Key. The inner wall is the Short Term Key. And the treasure vault uses the Long Term Key. Each layer makes it harder for intruders to get through!”

Max the Microcontroller explained, “There are also special-purpose keys. The IRK – Identity Resolving Key – lets me change my Bluetooth address periodically so trackers cannot follow me around. And the CSRK – Connection Signature Resolving Key – lets me verify that messages really came from a trusted device and were not tampered with.”

“The most important thing,” Bella the Battery said, “is that stronger encryption methods do not necessarily use more power. AES-CCM encryption with 128-bit keys is built into the Bluetooth hardware, so it runs efficiently. The real energy cost is in the pairing process itself, and once that is done, secure communication barely affects my battery life at all!”

17.2 Prerequisites

Before diving into this chapter, you should be familiar with:

• Bluetooth Security: Pairing Methods: Understanding BLE pairing process and method comparison
• Basic Cryptography Concepts: Familiarity with AES encryption and key exchange (ECDH)

17.3 BLE Encryption Architecture

BLE supports multiple encryption architectures depending on the pairing method and Bluetooth version. The diagram below shows the key generation process for Legacy Pairing, LE Secure Connections, and BR/EDR Secure Connections.

Figure 17.1: Source: University of Edinburgh IoT Security Course

Key Generation Methods:

Method	Key Function	Input Parameters	Security Level
LE Legacy	s1(AES-128)	TK, Mrand, Srand	Basic (vulnerable to passive eavesdropping)
LE Secure Connections	f5(AES-CMAC-128)	DHKey, N1, N2, Addresses	Strong (ECDH with P-256 curve protection)
BR/EDR Secure	h6/h7(AES-CMAC-128)	Link Key, SALT	Strong (cross-transport key derivation)

17.4 BLE Key Hierarchy

Understanding the BLE key hierarchy is essential for implementing secure IoT applications:

Figure 17.2: BLE Encryption Key Hierarchy and Management

Key Types Explained:

• TK (Temporary Key): Generated during pairing, depends on pairing method
• STK (Short Term Key): Session encryption key derived from TK using the s1 function with AES-128; used only for the initial encrypted session in legacy pairing, then replaced
• LTK (Long Term Key): 128-bit key stored after bonding; enables reconnection without re-pairing. In legacy pairing, identified by the EDIV (Encrypted Diversifier) and Rand (64-bit random number) values
• IRK (Identity Resolving Key): Enables private address resolution for privacy; allows a bonded device to resolve resolvable private addresses back to the known identity
• CSRK (Connection Signature Resolving Key): Signs unencrypted data packets to verify integrity and authenticity over unencrypted LE links
• DHKey: In LE Secure Connections (BLE 4.2+), the Diffie-Hellman shared secret computed from P-256 ECDH; the basis for deriving MacKey and LTK via the f5 function

17.4.1 Knowledge Check: BLE Key Roles

17.5 Security Decision Framework

17.5.1 Choosing the Right BLE Security Level

Use “Just Works” ONLY when:

• Public beacon data (no sensitive information)
• Read-only sensor broadcasting (weather station)
• Device has no display, keyboard, or NFC
• Data is already encrypted at application layer
• Example: Public temperature beacon in park
• Risk acceptance: Anyone can read data (that’s the intent)

Use Passkey Entry when:

• Device has display OR keyboard (not both)
• Static PIN acceptable (e.g., printed on device)
• Moderate security sufficient
• Example: Wireless keyboard (displays 6-digit PIN)
• Security: 1 million possible PINs (secure if random)
• Weakness: Static PIN vulnerable if observed

Use Numeric Comparison when:

• Both devices have displays
• User can verify 6-digit code
• High security required
• Example: Smartphone pairing with tablet
• Security: 1 million codes + visual verification (prevents MITM)
• Best for: Consumer IoT (phones, smartwatches, tablets)

Use Out-of-Band (OOB) when:

• Maximum security required
• Device has NFC or can display QR code
• Medical, financial, or industrial applications
• Example: Payment terminal with NFC
• Security: Attacker must compromise both channels (Bluetooth + NFC/QR)
• Best for: Smart locks, medical devices, payment systems

17.5.2 Security Comparison Table

Method	Auth Bits	MITM Protection	User Action	Best Use Case
Just Works	0	None	None	Public beacons only
Passkey Entry	~20 (6-digit PIN)	If passkey is secret	Enter PIN	Keyboards, mice
Numeric Comparison	~20 + visual	Strong (if user verifies)	Verify code	Smartphones, tablets
Out of Band (OOB)	Varies	Strong (if OOB channel is secure)	NFC tap / QR scan	Smart locks, commissioning

Numbers explained:

• 0 bits (Just Works): No user-authenticated verification - vulnerable to active MITM during pairing
• ~20 bits (6-digit PIN): About 1,000,000 possibilities - treat as modest entropy
• OOB: Security depends on the out-of-band channel and the secret you exchange

Putting Numbers to It

The brute-force attack time against a passkey depends on entropy and attack rate:

\[T_{attack} = \frac{2^{entropy}}{R_{attempts}} \times 0.5\]

where \(R_{attempts}\) is the number of pairing attempts per second (factor 0.5 assumes average case).

Example: A 6-digit PIN (000000-999999) provides: - Entropy: \(\log_2(1,000,000) = 19.93\) bits - If attacker attempts 10 pairings/second: \(T_{attack} = \frac{2^{19.93}}{10} \times 0.5 = \frac{1,000,000}{10} \times 0.5 = 50,000\) seconds ≈ 13.9 hours

For LE Secure Connections with rate limiting (1 attempt per 30 seconds after 3 failures): - Effective rate: 0.033 attempts/second - \(T_{attack} = \frac{1,000,000}{0.033} \times 0.5 \approx 15,000,000\) seconds ≈ 174 days

Rate limiting transforms a 14-hour attack into a 174-day attack, making brute force impractical. This is why BLE devices MUST implement retry delays.

Interactive: BLE Brute-Force Attack Time Calculator

Adjust PIN length and rate limiting to see how they affect brute-force attack duration.

viewof pinDigits = Inputs.range([4, 8], {
  value: 6,
  step: 1,
  label: "PIN Digits"
})

viewof maxAttempts = Inputs.range([1, 10], {
  value: 3,
  step: 1,
  label: "Attempts Before Lockout"
})

viewof lockoutSeconds = Inputs.range([10, 300], {
  value: 60,
  step: 10,
  label: "Lockout Duration (seconds)"
})

viewof attemptSpeed = Inputs.range([0.5, 5], {
  value: 1,
  step: 0.5,
  label: "Seconds per Attempt"
})

{
  const totalCombinations = Math.pow(10, pinDigits);
  const avgToGuess = totalCombinations / 2;

  // Without rate limiting
  const unlimitedTime = avgToGuess * attemptSpeed;
  const unlimitedDays = unlimitedTime / 86400;

  // With rate limiting
  const cycleTime = (maxAttempts * attemptSpeed) + lockoutSeconds;
  const cycles = avgToGuess / maxAttempts;
  const limitedTime = cycles * cycleTime;
  const limitedDays = limitedTime / 86400;

  const slowdownFactor = (limitedTime / unlimitedTime).toFixed(1);

  const color1 = "#2C3E50";
  const colorLimited = limitedDays > 100 ? "#16A085" : limitedDays > 30 ? "#E67E22" : "#E74C3C";
  const colorUnlimited = unlimitedDays > 100 ? "#16A085" : unlimitedDays > 30 ? "#E67E22" : "#E74C3C";

  return html`<div style="background: #f8f9fa; border-radius: 8px; padding: 1.2rem; font-family: Arial, sans-serif;">
    <div style="display: grid; grid-template-columns: repeat(auto-fit, minmax(200px, 1fr)); gap: 1rem; margin-bottom: 1rem;">
      <div style="background: white; padding: 1rem; border-radius: 6px; border-left: 4px solid ${color1};">
        <div style="font-size: 0.85rem; color: #666;">Total Combinations</div>
        <div style="font-size: 1.5rem; font-weight: bold; color: ${color1};">${totalCombinations.toLocaleString()}</div>
      </div>
      <div style="background: white; padding: 1rem; border-radius: 6px; border-left: 4px solid ${colorUnlimited};">
        <div style="font-size: 0.85rem; color: #666;">Without Rate Limiting</div>
        <div style="font-size: 1.5rem; font-weight: bold; color: ${colorUnlimited};">${unlimitedDays < 1 ? (unlimitedTime / 3600).toFixed(1) + " hours" : unlimitedDays.toFixed(1) + " days"}</div>
      </div>
      <div style="background: white; padding: 1rem; border-radius: 6px; border-left: 4px solid ${colorLimited};">
        <div style="font-size: 0.85rem; color: #666;">With Rate Limiting</div>
        <div style="font-size: 1.5rem; font-weight: bold; color: ${colorLimited};">${limitedDays < 1 ? (limitedTime / 3600).toFixed(1) + " hours" : limitedDays > 365 ? (limitedDays / 365).toFixed(1) + " years" : limitedDays.toFixed(0) + " days"}</div>
      </div>
      <div style="background: white; padding: 1rem; border-radius: 6px; border-left: 4px solid #16A085;">
        <div style="font-size: 0.85rem; color: #666;">Slowdown Factor</div>
        <div style="font-size: 1.5rem; font-weight: bold; color: #16A085;">${slowdownFactor}x</div>
      </div>
    </div>
    <div style="font-size: 0.8rem; color: #666;">Rate limiting (${maxAttempts} attempts then ${lockoutSeconds}s lockout) slows brute-force by ${slowdownFactor}x. A ${pinDigits}-digit PIN has ${totalCombinations.toLocaleString()} combinations.</div>
  </div>`;
}

17.5.3 Security Selection Decision Tree

Figure 17.3: BLE Security Method Selection Decision Tree

17.5.4 Security Decision Matrix

Data Sensitivity	Minimum (Link-Layer)	Recommended Controls	Example
Public	None (if acceptable)	Avoid pairing; sign data if integrity matters	Weather beacon
Personal	AES-CCM-128 (encrypted link)	LE Secure Connections + bonding + privacy addresses	Fitness tracker
Medical / safety	AES-CCM-128 (encrypted link)	Authenticated pairing (Numeric Comparison/OOB), secure firmware updates, strong device identity	Glucose monitor
Financial / high-value	AES-CCM-128 (encrypted link)	OOB pairing where possible, hardened key storage, end-to-end authn/authz	Payment terminal
Industrial / control	AES-CCM-128 (encrypted link)	Application-layer integrity/authentication, logging, and lifecycle key management	Factory sensor

Note: Compliance requirements vary by jurisdiction and product. Link-layer encryption is important, but it is not sufficient on its own for most regulated systems.

17.6 Best Practices

Do:

• Pair in secure environment
• Use numeric comparison or OOB
• Update firmware regularly
• Disable when not needed
• Remove unused pairings

Don’t:

• Avoid “Just Works” mode for sensitive data
• Don’t pair unknown devices
• Never assume range limits provide security

17.7 Common Pitfalls

Pitfall: Using “Just Works” Pairing Because the Device Has No Display

The Mistake: Implementing “Just Works” pairing for displayless IoT devices (sensors, beacons, smart plugs) because “there’s no way to show a PIN,” leaving devices permanently vulnerable to MITM attacks during every pairing attempt.

Why It Happens: Developers assume display-based verification (Numeric Comparison, Passkey) is the only option for secure pairing.

The Fix: Use Out-of-Band (OOB) pairing with a physical channel that attackers cannot intercept:

Figure 17.4: OOB pairing options for displayless BLE devices

Pitfall: Assuming Bonded Keys Are Secure Forever After Initial Pairing

The Mistake: Pairing a BLE device once with strong security (Numeric Comparison or OOB), then assuming the bonded connection is permanently secure - without protecting stored keys or implementing re-authentication for sensitive operations.

Why It Happens: Developers focus security effort on the initial pairing ceremony, but forget that Long Term Keys (LTK) stored in flash memory can be extracted, cloned, or used by anyone with physical access to either device.

The Fix: Implement defense-in-depth beyond pairing: protect key storage, add application-layer authorization, and consider periodic re-authentication:

// Defense layer 1: Secure key storage
// Use hardware-backed keystore when available (iOS Keychain, Android Keystore,
// secure elements on embedded devices)

// Defense layer 2: Application-layer authorization for sensitive commands
typedef enum {
    CMD_READ_SENSOR,      // Low risk: allow after BLE connection
    CMD_UNLOCK_DOOR,      // High risk: require app PIN + recent auth
    CMD_FACTORY_RESET,    // Critical: require physical button + app confirmation
    CMD_FIRMWARE_UPDATE   // Critical: require signed payload + user consent
} command_security_t;

bool authorize_command(command_t cmd, auth_context_t *ctx) {
    switch (get_security_level(cmd)) {
        case LOW:
            return ctx->ble_authenticated;  // BLE pairing sufficient
        case HIGH:
            return ctx->ble_authenticated &&
                   ctx->app_pin_verified &&
                   (time_now() - ctx->last_auth_time) < 300;  // 5-min timeout
        case CRITICAL:
            return ctx->physical_button_pressed &&
                   ctx->app_confirmation_received;
    }
}

// Defense layer 3: Key rotation and revocation
// - Implement "forget this device" that deletes LTK on both sides
// - Consider periodic re-pairing for high-security applications
// - Log pairing events for security auditing

17.8 Understanding Checks

Understanding Check: Smart Lock Security Breach

Scenario: A startup launches a Bluetooth smart lock for Airbnb hosts. During beta testing, security researchers demonstrate they can unlock any door during the initial pairing process by sitting in a car 20 meters away with a laptop. The lock uses “Just Works” pairing for “convenience” - no PIN entry required.

Think about:

1. How can an attacker unlock the door without physical access?
2. What specific vulnerability in “Just Works” pairing enables this attack?
3. The lock has AES-128 encryption AFTER pairing - why doesn’t that prevent the attack?
4. How would you redesign the lock’s security?

Key Insight: Authentication happens BEFORE encryption. “Just Works” provides:

• No user-authenticated verification step during pairing
• No protection against active MITM or pairing hijack during setup
• Link encryption does not help if the attacker becomes the paired/bonded device

Secure redesign options:

• Numeric Comparison: require the installer to confirm a code shown by the lock and the phone
• OOB commissioning: use an internal QR code / NFC tap so physical access is required to enroll
• Application-layer authorization: even after pairing, require explicit authorization for “unlock” commands

Understanding Check: Bonding vs. Pairing Trade-offs

Scenario: You’re managing a fleet of 100 Bluetooth-connected medical devices (insulin pumps) in a hospital. Nurses complain that re-pairing tablets to pumps every shift change (3x/day) wastes 5 minutes per device. IT Security insists that bonding is disabled because “stored keys are a security risk if tablets are lost or stolen.”

Think about:

1. What’s the actual security difference between pairing-only and bonding?
2. How much time is wasted without bonding? (100 devices x 3 shifts x 5 min)
3. Can you implement bonding securely with proper key management?
4. What’s the risk if a bonded tablet is stolen?

Key Insight: Bonding = convenience vs. security trade-off, but can be mitigated:

With Bonding (SECURE implementation):

• Pair once, but store keys using a hardware/OS-backed keystore (when available)
• Require user authentication (PIN/biometric) before high-risk actions
• Support revocation (remove bonds when a tablet is lost) and remote wipe
• Consider a periodic re-authentication policy based on your risk model
• Log pairing/connection events for auditability

Figure 17.5: Secure BLE bonding implementation workflow

Understanding Check: Weak PIN Attack Vector

Scenario: A device uses LE Legacy pairing and relies on a short, printed passkey/PIN (“unique per device”) for security. The team assumes “it’s encrypted, so it’s safe.”

Think about:

1. Why does low-entropy user input (e.g., a 4-6 digit passkey) matter?
2. Why can Legacy pairing be risky if an attacker records the pairing transcript?
3. What changes when you use LE Secure Connections?
4. Beyond pairing, what authorization checks should still exist for safety-critical commands?

Key Insight: Strong ciphers don’t help if key agreement/authentication is weak.

Risk framing (order-of-magnitude):

• 4-digit PIN: 10,000 guesses
• 6-digit passkey: 1,000,000 guesses (approximately 20 bits)

Safer alternatives:

1. Prefer LE Secure Connections with Numeric Comparison or OOB when possible
2. Avoid static/shared passkeys; treat printed codes as a usability step, not a long-term secret
3. Add application-layer authorization (e.g., signed “unlock” commands, role checks) even after pairing
4. Plan for revocation (remove bonds when devices are replaced/lost)

17.8.1 Knowledge Check: BLE Key Hierarchy

17.8.2 Knowledge Check: BLE Security Levels

17.8.3 Knowledge Check: LE Secure Connections

17.9 Worked Example: Quantifying BLE Pairing Attack Surfaces

Scenario: Choosing Pairing Security for a Smart Insulin Pump

A medical device manufacturer is designing a BLE-connected insulin pump. The pump communicates with a companion smartphone app to receive bolus dose commands. The design team must choose the appropriate BLE security level.

Threat Analysis – What Happens If Pairing is Compromised?

An attacker who performs a MITM during pairing becomes the bonded device. They can then issue insulin dose commands. This is a life-safety risk.

Quantifying Attack Windows by Pairing Method:

Pairing Method	Attack Type	Effort Required	Time Window
Just Works	Active MITM with commodity hardware	$20 BLE sniffer + laptop	Entire pairing duration (~5 sec)
Passkey (6-digit)	Brute-force captured pairing exchange (Legacy only)	Offline in <1 sec (1M combinations)	Must capture pairing exchange
Numeric Comparison	Social engineering user to accept wrong code	Must be present + fool user	10-sec user verification window
OOB (NFC tap)	Must physically intercept NFC (<4 cm)	Must be within 4 cm of both devices	Sub-second NFC exchange

Why OOB + Application-Layer Auth is the Right Answer:

1. OOB pairing via NFC: The nurse taps the pump to the phone. An attacker must be physically within 4 cm – essentially impossible without being noticed in a clinical setting.

2. Application-layer dose verification: Even after pairing, the app signs each dose command with the user’s PIN. The pump verifies the signature before executing. An attacker who somehow bonds still cannot issue a valid dose command without the clinician’s PIN.

3. Key rotation: The pump re-pairs weekly. Compromised keys expire automatically.

Cost of Each Security Layer:

Layer	Implementation Cost	User Inconvenience	Risk Reduction
OOB pairing (NFC)	+$0.50 NFC chip on pump	One-time tap per pairing	Eliminates remote MITM
App-layer PIN	Software only	4-digit PIN per dose	Eliminates unauthorized commands
Weekly re-pairing	Software only	~10 sec/week NFC tap	Limits key compromise window to 7 days
Combined	$0.50 hardware + software	~15 sec/week	Defense-in-depth

Key Insight: The $0.50 NFC chip eliminates the primary attack vector (remote MITM during pairing). Application-layer authorization adds a second independent barrier. Neither layer alone is sufficient for a life-safety device, but together they provide defense-in-depth at minimal cost and user friction.

Concept Relationships:

Concept	Relates To	Why It Matters
Key Hierarchy (TK→STK→LTK)	Bonding	Session keys (STK) vs stored keys (LTK) determine reconnection security
Pairing Methods	Key Generation	Authentication strength during pairing determines overall encryption security
IRK (Identity Resolving Key)	Privacy	Enables private address rotation to prevent tracking
CSRK (Signature Key)	Data Integrity	Signs unencrypted data for authenticity verification
AES-CCM-128	Link Encryption	128-bit encryption standard protects all post-pairing traffic
P-256 ECDH	LE Secure Connections	Elliptic curve key exchange introduced in BLE 4.2 to prevent passive eavesdropping of pairing

Interactive Quiz: Match BLE Encryption Key Types

Interactive Quiz: Sequence LE Secure Connections Key Generation

17.10 See Also

• Bluetooth Security: Labs and Defense-in-Depth - Hands-on security demonstrations
• Bluetooth Security: Pairing Methods - Choosing appropriate pairing for threat model
• Cryptography Fundamentals for IoT - AES and key exchange basics

🏷️ Label the Diagram

💻 Code Challenge

17.11 Summary

This chapter covered BLE encryption and key management:

• Encryption Architecture: AES-CCM-128 with 128-bit keys, three key generation methods (Legacy, LE Secure Connections, BR/EDR)
• Key Hierarchy: TK -> STK -> LTK, plus IRK for privacy and CSRK for signatures; legacy pairing uses EDIV+Rand to identify the LTK on reconnection
• LE Secure Connections: Introduced in BLE 4.2, uses P-256 ECDH to prevent passive eavesdropping of the pairing exchange; LTK and MacKey derived via the f5 function
• Security Decision Framework: Match pairing method to data sensitivity and device capabilities
• Best Practices: Use secure key storage, implement authorization layers, plan for revocation
• Common Pitfalls: OOB alternatives for displayless devices, defense-in-depth beyond initial pairing

17.12 What’s Next

Topic	Chapter	Why It Matters
Hands-on BLE security labs	Bluetooth Security: Labs and Defense-in-Depth	Apply key concepts in ESP32 BLE security demonstrations and attack/defense scenarios
Pairing methods in depth	Bluetooth Security: Pairing Methods	Compare Just Works, Passkey, Numeric Comparison, and OOB with threat model analysis
Cryptography foundations	Encryption Principles and Crypto Basics	Understand AES-CCM, ECDH, and the primitives underlying BLE key generation
IoT authentication patterns	Authentication and Access Control	Extend BLE pairing security with application-layer identity and authorization
IoT threat landscape	IoT Security Threats Overview	Place BLE attack vectors in the broader context of IoT security risks